Bytes | Software Development & Data Engineering Community

$_SESSION Variables

TheServant
1,168 Expert 1GB
If someone knows what I have called my variables stored in a session, would it be easy to fake those variables?

So $_SESSION['username'] is my variable which I use to recall info from the database. If someone faked that name with someone else's, would they be able to see the other person's account?
Apr 28 '08 #1
5 1263
ronverdonk
4,258 Expert 4TB
Not unless he/she is able to hijack your session by stealing the sessionID.
See also the article The Truth about Sessions by Chris Shiflett.

Ronald
Apr 28 '08 #2
TheServant
1,168 Expert 1GB
Cheers Ron,
I will have a read and get back if I have anymore questions.
Apr 28 '08 #3
ronverdonk
4,258 Expert 4TB
Okay, read that and you'll see how to protect your sessions. Also pay attention to the fact that you could try a hijack using JavaScript when sessions are stored in a cookie.
It is cumbersome, but using a database (like MySQL) to store your session data would be more secure.

ronald
Apr 28 '08 #4
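As an added illustration of the database-backed sessions Ronald suggests (example code written for this page, not posted by anyone in the thread, and not the Shiflett article's code): a PHP session save handler that keeps session data in a MySQL table through PDO, combined with the cookie settings that keep the session ID away from client-side JavaScript. The table layout, DSN, database user and password are assumptions; replace them with your own.

```php
<?php
// Added example (not from the thread): store PHP session data in MySQL
// instead of the default file store, and harden the session cookie so
// client-side JavaScript cannot read the session ID.
// Assumes a table created with (placeholder schema):
//   CREATE TABLE sessions (
//     id         VARBINARY(128) NOT NULL PRIMARY KEY,
//     data       BLOB NOT NULL,
//     expires_at INT UNSIGNED NOT NULL
//   );
// Requires PHP 8.1+ for the typed interface methods below.

final class MysqlSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime;

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Return '' (not false) when no row exists so PHP starts an empty session.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires_at > :now'
        );
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, expires_at) VALUES (:id, :data, :exp)
             ON DUPLICATE KEY UPDATE data = VALUES(data), expires_at = VALUES(expires_at)'
        );
        return $stmt->execute([
            ':id'   => $id,
            ':data' => $data,
            ':exp'  => time() + $this->lifetime,
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: drop rows whose expiry has passed.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Placeholder connection details; replace with your own.
$db = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app_user', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$lifetime = 1800; // 30 minutes of inactivity
session_set_save_handler(new MysqlSessionHandler($db, $lifetime), true);

// Cookie hardening: HttpOnly keeps document.cookie from exposing the ID,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL

session_start();
```

The handler only changes where the serialized session data lives; the browser still holds nothing but the session ID in its cookie, which is why the cookie flags matter as much as the storage backend. Include this file before any output on every page that calls `session_start()`.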
TheServant
1,168 Expert 1GB
Besides fingerprinting the browser, I didn't find what I was looking for.
I can check it at home, but different tabs (not windows) in the browser: do they each create a new session_id?
What about if I leave one website (not signing out) and just go to another website, it will still be the same session, won't it?
That would mean that my session variables are still there and accessible on the new website?

Do you recommend storing the session id and browser in MySQL, and if the user's session id and/or browser does not match, then prompting for a password to overwrite those database values?

Sorry for all the questions, but I am finding too many holes which someone who knew what they were doing could get by.
Apr 28 '08 #5
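As an added illustration of the browser check asked about above (example code written for this page, not posted by anyone in the thread): the fingerprint is kept inside the session data rather than in a separate table, compared on every request, and a mismatch or idle timeout tears the session down so the user has to log in again. `APP_FINGERPRINT_KEY`, `login_user`, `current_user` and the `/login.php` path are assumed names for this example.

```php
<?php
// Added example (not from the thread): bind a session to a browser fingerprint
// kept inside the session data itself, and force re-authentication when it
// no longer matches. The fingerprint is a keyed hash of the User-Agent header;
// APP_FINGERPRINT_KEY is a placeholder for a server-side secret.

const APP_FINGERPRINT_KEY = 'CHANGE_ME_server_side_secret';

function browser_fingerprint(): string
{
    // Only request headers the browser sends consistently belong here.
    // The client IP is deliberately left out: it changes behind proxies
    // and on mobile networks and would log legitimate users out.
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, APP_FINGERPRINT_KEY);
}

// Call right after the password has been verified.
function login_user(int $userId): void
{
    // A fresh ID after login defeats session fixation: an ID planted in the
    // browser before login is no longer valid afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;     // store the id, never the password
    $_SESSION['fingerprint'] = browser_fingerprint();
    $_SESSION['last_seen']   = time();
}

// Call at the top of every page that requires a logged-in user.
// Returns the user id, or null when the caller should show the login form.
function current_user(int $idleTimeout = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    $stale    = (time() - $_SESSION['last_seen']) > $idleTimeout;
    $mismatch = !hash_equals($_SESSION['fingerprint'], browser_fingerprint());
    if ($stale || $mismatch) {
        // Drop the whole session rather than just the user id so it cannot
        // be revived later by a request with a matching User-Agent.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

session_start();
$user = current_user();
if ($user === null) {
    header('Location: /login.php'); // placeholder path
    exit;
}
```

Storing the fingerprint in the session rather than in a separate MySQL row keeps the check to one lookup, and `hash_equals()` avoids leaking timing differences during the comparison. The User-Agent is a weak signal on its own, so treat this as one layer on top of HttpOnly cookies, HTTPS and ID regeneration at login, not as a replacement for them.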
TheServant
1,168 Expert 1GB
I am now thinking that I have this whole session understanding wrong because of a very fundamental error. The session is given by the server, not the browser? So where are session ids stored while you go to another site?

For example, how does it work when I am at one site with a set of variables (session_id_a) and then go to another site with another set of variables (session_id_b), and then go back to the original site and still have my original variables? Is it the browser that stores session_id_a --> site_1 and session_id_b --> site_2?

So does that mean to hijack a session, the attacker would need to wait until one is issued to a user, find out what that id is somehow and then submit that session_id as well as the checks that I have ($_SESSION['username'] and $_SESSION['password']) which cannot be found unless they can get my server to run a script which exposes the variables inside the session (is that hard)?
Apr 29 '08 #6